The Charity Commission and Security Incident Reporting

There has been a development in charity regulation by the Charity Commission in recent years to transfer regulation and reporting onto charity trustees. This has, not surprisingly, coincided with cutbacks at the Charity Commission at a time when the role of charities has been expanding.

The key to imposing these extra burdens on charity trustees is the Charity Commission’s use of Section 60 of the Charities Act 2011 to ask questions. This statutory provision makes it a criminal offence for a person to knowingly or recklessly provide the Charity Commission with information which is false or misleading. The offence is wide enough to cover withholding information. The offence could potentially lead to a maximum fine or two years’ imprisonment – a sobering thought.

When the charity trustees complete their annual return they will see that Section 60 is cited, and they are warned that a failure to properly answer the questions set could lead to a prosecution under that section. At the same time the annual return has been expanded to ask more questions, such as whether there have been any serious incidents, and questions about overseas funding, staff salaries, safeguarding of children and vulnerable adults, grant funding from government, whether trustees have resigned and then been appointed as staff, and whether any charity trustees are directors of a trading subsidiary. All of these questions have potential regulatory consequences depending on how they are answered.

Incident Reporting

Although serious incident reporting is not, in itself, a legal requirement, it becomes one when charity trustees complete the annual return and have to answer the question about whether there have been any serious incidents during the year which have not been reported under the obligation imposed by Section 60.

According to the Commission, a serious incident is an adverse event, whether actual or alleged, which results in or risks one or more of the following:

  • significant harm to a charity’s beneficiaries, staff, volunteers or others who come into contact with the charity through its work
  • loss of a charity’s money or assets
  • damage to a charity’s property
  • harm to a charity’s work or reputation.

Trustees must make prompt, full and frank disclosure of an alleged serious incident and of how they are dealing with it. Harm to a charity’s work or reputation is an extremely wide category and captures most situations. It is better to err on the side of reporting and avoid the risk of failing to report. The Charity Commission has also told practitioners that, when considering potential liability, it will take into account whether trustees have filed a serious incident report.

Reports that indicate individuals are at risk or there is risk of serious harm to a charity’s work will be prioritised by the Commission, as well as situations where trustees require advice and guidance on how to deal with the incident.

Auditors and independent examiners acting for charities are also under a duty to report such incidents to the Charity Commission under Section 156 of the Charities Act 2011, where they become aware of a matter of material significance to the Commission or have reasonable cause to believe an incident is likely to be relevant to the Commission. In a review of audit reporting under the Section 156 duty in February 2018, it was found that only 28 reports were submitted out of 114 audit opinions containing information that should have been reported. In April 2020, the Charity Commission released updated guidance to independent examiners and auditors on this reporting requirement and announced that it will be carrying out an ongoing review of all independent examination reports or audit opinions signed after May 2020 which contain a qualification, modified opinion or other reporting paragraph, to confirm that a report of a matter of material significance has been promptly filed at the Charity Commission.

Avoid Risk Now

There is obviously an overlap between serious incidents and matters of material significance, and both reporting obligations should be considered together. The Charity Commission’s increased focus on this area and its published statistics suggest there has been under-reporting, which will no longer be tolerated by the Charity Commission.